Sunday, January 31, 2016

A Response to Cambridge's Video on Chip and PIN Fraud

Frequently, I see people referring to this video from Cambridge University explaining several Chip and PIN fraud possibilities as evidence that Chip and PIN is broken. I would like to take this opportunity to post my thoughts on this video and explain how, in the context of the current rollout of EMV in the United States, this isn't necessarily a huge deal.

The first thing to keep in mind is that, as I wrote previously, the United States is mostly transitioning to Chip and Signature, rather than Chip and PIN. Since my last post, a couple more banks and credit unions have come out with Chip and PIN credit cards, but the majority of EMV credit cards in the United States remain Chip and Signature, and one of the issuers that was Chip and PIN when I wrote that post has changed to Chip and Signature. Whether issuers transition to Chip and PIN in the US at some point in the future remains to be seen.

The attacks described in the video fall into three basic types, and I'll go over them one by one:

The first attack describes tampering with the card reader such that the flow of information in the link between the card reader and the card itself is intercepted, allowing someone to read off the card details and PIN. This certainly is a possible attack, but has been mitigated in a couple of ways. The first is to encrypt the PIN before sending it to the card. This means that the attacker wouldn't be able to read the PIN. The second is to have the PIN verified, not by the card itself, but by the bank that issued the card. This sort of over-the-network PIN verification is always encrypted, so the attacker would not have access to it. This is also how magnetic stripe debit card PINs in the US have been verified for many years. There are still cards and terminals out there that support unencrypted PIN verification by the card, so the attack possibility remains, but keep in mind that this still is only a disclosure of the PIN, and not the private keys on the card that would be needed to manufacture a clone of a chip card.

In the United States, this attack is mostly irrelevant. With nearly all US-issued cards being signature-preferring, if they support PIN at all, the PIN would rarely be needed by the customer and thus there is no PIN to capture. In the case of debit cards, which require a PIN when run as "debit" and may use a PIN when run as "credit", the PIN is always encrypted and sent over the network to be verified by the bank. It doesn't make sense to me for an attacker in the US to focus on PIN collection in this manner, since most transactions would not use a PIN in the first place so there would be nothing to capture.

The second attack uses a device between the card and the terminal that makes the terminal think the PIN was accepted by the card while the card thinks its doing a Chip and Signature transaction. This allows an attacker to use a stolen card without knowing the actual PIN, since the card thinks it's performing a signature transaction, while the intermediary chip returns a "correct PIN" response to the terminal in all cases. The problem is that there is nothing that verifies that the card and the terminal have the same view of the transaction. Fortunately, an improved method of authenticating that the card itself is legitimate, called "Combined Data Authentication" or "CDA", includes a way for the terminal or payment processing network to detect this inconsistency. As noted by SecurityWeek, CDA prevents this sort of attack.

Like the first attack, attack also doesn't seem to make much sense in the United States. With the majority of cards being issued as Chip and Signature instead of Chip and PIN, the attacker doesn't need to perform this attack to use a stolen card without knowing the PIN. Instead the attacker simply forges a signature on the receipt or PIN pad.

The third attack uses a terminal that displays a small transaction amount to the user while processing a large transaction amount. I don't really consider this a Chip and PIN attack at all, since I don't see why this attack couldn't be done with a magnetic stripe or Chip and Signature card. The solution here is to get a receipt, since the receipt would either show the large transaction amount and be immediately noticed by the cardholder, or the receipt would show the small transaction amount and thus would differ from the processed transaction amount, providing evidence that would allow the cardholder to more successfully dispute the transaction with their bank.

Ultimately, there's not a lot a cardholder can do to reduce the risk from these attacks. The first two aren't immediately relevant in the US since few US issuers are issuing Chip and PIN cards anyway. We can only hope that if they do start to, they take advantage of the latest enhancements to EMV technology, avoiding unencrypted PINs and using CDA. As for the third, that's really about good cardholder practices and doesn't have anything to do with Chip and PIN specifically.